1 Introduction
This book defines “positive cyber peace” as a digital ecosystem that rests on four pillars:
(1) respecting human rights and freedoms, (2) spreading Internet access along with cybersecurity best practices, (3) strengthening governance mechanisms by fostering multistakeholder collaboration, and (4) promoting stability and relatedly sustainable development.
These pillars merit broad support for their emphasis on justice, good governance, and diffusion of technology to bridge the so-called “digital divide.” They were developed through a global vetting process over time and in different fora, and they represent views of technologists, civil society thought leaders, and representatives of intergovernmental organizations (see Permanent Monitoring Panel on Information Security of the World Federation of Scientists, 2009; Shackelford, Reference Shackelford2014). Nevertheless, the conceptualization of cyber peace and its pillars deserves further probing. Is cyber peace really a kind of peace? International relations and global studies theories include a substantial body of literature on peace, a condition and/or a relation that is both more capacious than the pillars and, perhaps, in some ways inconsistent with them. In addition, the pillars seem to be different kinds of things. The first refers to abstractions that are instantiated in law and take form through the practices of governments. The second is a diffusion of a technology along with technical standards. The third is a preference for a certain form of governance, and the fourth once again brings up a technical issue, but then pivots to sustainability. If the pillars are supporting an edifice, they are doing so unevenly.Footnote 1 In this chapter, I probe the ontological basis of the concept of cyber peace and uncover tensions in the meanings embedded in it.
The task begins with ontological questions about what kind of thing cyber peace is. This section draws on the definitions cyber peace advocates use to taxonomize the stated or implied assumptions about cyber peace as a condition or as a set of practices. As a condition, cyber peace is sometimes defined as a kind of peace, and at other times as something within cyberspace. Distinct modes of ontologizing cyber peace as a set of practices include cyber peace as cyber peacemaking, as maintaining the stability of information technology, and/or as cyber defense actions. The second section looks to international relations and cognate field scholarship for insight into further honing the conceptualization of cyber peace. The topics in this section include unpacking cyber as a modifier of peace, unpacking the concept of peace itself, exploring the boundaries of cyber peace by looking at how it is different from similar social things, and analyzing the implications of metaphors associated with cyber peace. The chapter concludes with a brief comment on the intent of the critique.
2 Contending Definitions
The ontological question is what kind of thing is cyber peace or would it be if it were to exist?Footnote 2 Unless practitioners and scholars can come to some kind of consensus around the ontological nature of cyber peace the project risks incoherence. As cyber peace has slipped into the lexicon, beginning around 2008, the term has been used differently by the several interlocutors who draw upon it. Cyber peace is sometimes understood as a social condition or quality, sometimes as a set of practices, and sometimes as both. In this section, I interpret some core texts to tease out differences between the meanings and discuss the theoretical consequences of the differences.Footnote 3
In drawing upon a text, I do not mean to imply that my short selections are representative of everything authors think about cyber peace, or that their definition is incorrect. Instead, I use these different articulations to show the variety of ways cyber peace is imagined. Highlighting the unsettledness of the essence of cyber peace is the point of the exercise.
3 The Condition of Cyber Peace
An early use of the word “peace” in the context of cyberspace and the Internet is a 2008 forward written by the former Costa Rican president and Nobel laureate, Óscar Arias Sánchez, for the International Telecommunications Union’s (ITU) report on the ITU’s role in cybersecurity (Arias Sánchez, Reference Arias Sánchez2008). He referred to the need to promote “peace and safety in the virtual world” as “an ever more essential part of peace and safety in our everyday lives” and the urgency of creating a “global framework” to provide cybersecurity (p. 5). He implied that this safe place within cyberspace can be implemented through intergovernmental coordination around cybersecurity practices. The result would be to create the condition of feeling secure, very much along the lines of what one expects from the concept of “human security” (Paris, Reference Paris2001; United Nations Development Program, 1994). Techniques, such as the adoption of cybersecurity best practices, Arias suggested, are tools that promote this safe world, but these tools are not themselves cyber peace. In context, it seems that peace and safety are not two separate goals but rather one: Safety as peace – either as a kind of peace or perhaps as a part of peace.
Ungoverned cyberspace is dangerous because of “the pitfalls and dangers of online predators” (Arias Sánchez, Reference Arias Sánchez2008, p. 4) who inhabit it. As a state of (albeit non-) nature, it is a Hobbesian (Hobbes, Reference Hobbes1651) world of war and crime or, more precisely, the disposition toward violence which could break out at any time. This ungoverned, dangerous world of cyberspace is to be cordoned off and, perhaps, eliminated. Global coordination on cybersecurity is thus essential to promote the condition of safety.
Hamadoun Touré, writing in the introduction to The Quest for Cyber Peace, a joint publication of the ITU and the World Federation of Scientists (WFS), similarly seems to draw upon this Hobbesian view of ungoverned cyberspace when he writes that “[w]ithout mechanisms for ensuring peace, cities and communities of the world will be susceptible to attacks of an unprecedented and limitless variety. Such an attack could come without warning” (2011, p. 7). He continues, enumerating some of the devastating effects of such an attack. Touré’s description suggests that conditions of cyberspace could break the security provided by the sovereign state (the leviathan) to its citizens. Violence is lurking just under the surface of our cyber interactions, waiting to break out. Touré, in a policy suggestion consistent with some liberal institutionalists’ thinking in international relations, understands the potential of an international regimeFootnote 4 (though he does not use that term) of agreed-upon rules that would provide the condition of cyber peace in the absence of a single authoritative ruler. Arias and Touré both envision cyberspace as having a zone of lawlessness and war and a zone of safety and peace.
Henning Wegener’s (Reference Wegener and Touré2011) chapter in The Quest for Cyber Peace defines cyber peace more expansively than Touré did. More importantly, Wegener’s ontology is subtly different from the division of cyberspace into the peaceful and violent zones I associated with Arias and Touré. Wegener writes:
The starting point for any such attempted definition must be the general concept of peace as a wholesome state of tranquility, the absence of disorder or disturbance and violence – the absence not only of “direct” violence or use of force, but also of indirect constraints. Peace implies the prevalence of legal and general moral principles, possibilities and procedures for settlement of conflicts, durability and stability.
We owe a comprehensive attempt to fill the concept of peace – and of a culture of peace – with meaningful content to the UN General Assembly. Its “Declaration and Programme of Action on a Culture of Peace” of October 1999 provides a catalogue of the ingredients and prerequisites of peace and charts the way to achieve and maintain it through a culture of peace.
By identifying cyber peace as a kind of peace rather than as a carve out of cyberspace, Wegener shifts the focus away from cyberspace as the world in which cyber peace exists or happens and, instead, connects to the material reality of the geopolitical world. The distinction is illustrated in Figure 1.1. The image on the left represents the definition invoked by Arias and Touré. The image on the right represents the definition invoked by Wegener.
4 Cyber Peace as Practices
Other interlocutors use the phrase “cyber peace” to refer to practices, which can range from using safer online platforms for cross-national communication to “cyber peace keeping” or “cyber policing” to engineering a robust, stable, and functional Internet. This approach is consistent with (though not intentionally drawing upon) what has been called the “practice turn” in international relations (Adler & Pouliot, Reference Adler and Pouliot2011; for example, Bigo, Reference Bigo2011; Parker & Adler-Nissen, Reference Parker and Adler-Nissen2012; Pouliot & Cornut, Reference Pouliot and Cornut2015). Practices constitute meaningful social realities because of three factors. First, it matters that human beings enact practices, because in doing so we internalize that action and it becomes a part of us. Second, there is both a shared and an individual component to practices. Individuals are agentic because they can act; the action has social relevance because others act similarly. Third, practices are constituted and reconstituted through patterned behavior; in other words, through “regularity and repetition” (Cornut, Reference Cornut2015). Since cyber peace is an aspiration rather than something that exists now, a practice theory focus could point toward emerging or potential practices and how they are accreting.
One example of this aspirational view of practices can be found in the 2008 report, “Cyber Peace Initiative: Egypt’s e-Safety Profile – ‘One Step Further Towards a Safer Online Environment’,” which defines cyber peace in terms of young people engaging in the practices of communicating and peacemaking.Footnote 5 According to Nevine Tewfik (Reference Tewfik2010), who summarized the findings in a presentation to the ITU, information and communications technologies (ICTs) “empower youth of any nation, through ICT, to become catalysts of change.” These practices would then result in a more peaceful condition in geophysical space. Specifically, the end result would be “to create safe and better futures for themselves and others, to address the root causes of conflict, to disseminate the culture of peace, and to create international dialogues for a harmonious world” (p. 1). The report emphasized the initiative’s efforts to promote safety of children online. An inference I draw from the presentation slides is that the dissemination of the culture of peace happens when children can engage safely with each other online. Cyberspace can be a place where children – perhaps because of their presumed openness to new ideas and relations – engage in peacemaking. Thus, the benefits of the prescribed cyber peace activities would spill over into the geophysical world.
Cyber peace is often defined as practices that maintain the stability of the Internet and connected services. (The tension between stability and peace will be discussed later.) Drawing on this definition leads advocates to argue for prescriptions of protective behaviors and proscriptions of malign behaviors to maintain the functional integrity of the global ICT infrastructure. Key to this is the connection between a stable global network of ICTs and the ability to maintain peaceful practices in the geophysical world. The WFS, for example, had been concerned with all threats to information online (“from cybercrime to cyberwarfare”), but the organization’s permanent monitoring panel on information security “was so alarmed by the potential of cyberwarfare to disrupt society and cause unnecessary harm and suffering, that it drafted the Erice Declaration on Principles of Cyber Stability and Cyber Peace” (Touré & Permanent Monitoring Panel on Information Security of the World Federation of Scientists, Reference Wegener and Touré2011, p. vii). The declaration states: “ICTs can be a means for beneficence or harm, hence also as an instrument for peace or for conflict” and advocates for “principles for achieving and maintaining cyber stability and peace” (Permanent Monitoring Panel on Information Security of the World Federation of Scientists, 2009, p. 111). These principles about how to use ICTs are, in fact, practices. By adhering to the principles and acting properly, engagements in cyberspace and ICTs promote peace in the world. The declaration seems to refer to a general condition combining life as normal without the disruptions that warlike activities cause to “national and economic security,” and life with rights, that is human and civil rights, “guaranteed under international law.”
In other words, for this declaration stability is a desired characteristic of cyberspace and peace is a desired characteristic of life in the world as a whole. However, it does not follow that stability is inherently peaceful, unless peace is tautologically defined as stability. The absence of cyber stability might harm peace and the presence of cyber stability might support peace, but the presence of stability is not itself peaceful, nor does it generate peace.Footnote 6 At best, we can say that peace is usually easier to attain under conditions of stability.
Another text focusing on cyber peace as a set of practices is the Cyberpeace Institute’s website. It first calls for “A Cyberspace at Peace for Everyone, Everywhere,” which seems to hint at cyber peace as a condition of global society, but the mission of the organization is defined primarily as the capacity to respond to attacks, and only secondarily as strengthening international law and the norms regarding conflictual behavior in cyberspace. Indeed, defense capacity is emphasized in the explanation that “The CyberPeace Institute will focus specifically on enhancing the stability of cyberspace by supporting the protection of civilian infrastructures from sophisticated, systemic attacks” (CyberPeace Institute – About Us, 2020). The ability to mount a swift defense in response to an attack does not create peace, it simply means that our defenses may be strong enough that the attacks do not disrupt the stability of the Internet and other information technologies.
These conceptualizations of cyber peace as collections of practices thus ontologize kinds of cyber peace, which are distinct, but comparable. By comparing them, we can see underlying tensions regarding what can be considered peaceful – Is it peace making or securitization (defense and stability)? – though, as noted in the descriptions above, no collection of practices is wholly of one type. Figure 1.2 depicts different collections of practices that have been bundled together as the definition of cyber peace. (For clarity, I have not shown overlaps.) All of these conceptualizations are proposed against a background of a regulatory regime of implementing and enforcing laws.
5 Cyber Peace as Both Conditions and Practices
A third category blends conditions and practices, seeing the condition of cyber peace emerge as greater than the sum of its constituent parts, which are practices. In an early iteration of his work on this concept, Scott Shackelford (Reference Shackelford2014) paints this sort of hybrid picture of cyber peace. He claims that the practices of polycentric governance related to cybersecurity spill over into a positive cyber peace:
Cyber peace is more than simply the inverse of cyber war; what might a more nuanced view of cyber peace resemble? First, stakeholders must recognize that a positive cyber peace requires not only addressing the causes and conduct of cyber war, but also cybercrime, terrorism, espionage, and the increasing number of incidents that overlap these categories.
This can happen, Shackelford suggests, through a process of building up governance on limited problems, thereby proliferating the number of good governance practices. The polycentric governance model specifically rejects a top-down monocentric approach:
[A] top-down, monocentric approach focused on a single treaty regime or institution could crowd out innovative bottom-up best practices developed organically from diverse ethical and legal cultures. Instead, a polycentric approach is required that recognizes the dynamic, interconnected nature of cyberspace, the degree of national and private-sector control of this plastic environment, and a recognition of the benefits of multi-level action. Local self-organization, however – even by groups that enjoy legitimacy – can be insufficient to ensure the implementation of best practices. There is thus also an important role for regulators, who should use a mixture of laws, norms, markets, and code bound together within a polycentric framework operating at multiple levels to enhance cybersecurity.
These interconnected, overlapping, small to medium-scale governance practices build upward in Shackelford’s model and could eventually become a thick cybersecurity regime. When the regime is thick enough, cyber peace obtains. This model relies on a securitized notion of cyber peace, despite the discussion in the text of positive cyber peace that is more far-reaching than just the absence of war. His more recent work, co-authored by Amanda Craig, expands cyber peace to include global peace-related issues and practices, including development and distributive justice. They write:
Ultimately, “cyber peace” will require nations not only to take responsibility for the security of their own networks, but also to collaborate in assisting developing states and building robust regimes to promote the public service of global cybersecurity. In other words, we must build a positive vision of cyber peace that respects human rights, spreads Internet access alongside best practices, and strengthens governance mechanisms by fostering global multi-stakeholder collaboration, thus forestalling concerns over Internet balkanization.
Figure 1.3 depicts this model of best practices developed from the ground up, ultimately producing a kind of cyber peace that exceeds the summation of all the different practices.
The point of this exercise of categorizing different definitions of cyber peace is to say that a definitional consensus has not been reached and to remind ourselves that the ontology built into our definitions matters for how we think about what sounds like a very good goal. Moreover, ontological foundations matter for how the practitioners among us craft policies in pursuit of that goal.
6 Honing the Concept of Cyber Peace
The four parts of this section critically engage further with cyber peace, pointing to conceptual elements that could be productively honed to make a sharper point. The point here is not to provide an answer of what cyber peace is or should be but, rather, to draw upon scholarship from international relations and cognate fields to uncover contradictions and missed implications of the current usage. I begin by taking a closer look at “cyber” and “peace” and then turn to the boundaries of cyber peace as a social thing, followed by a discussion of the consequences of some of the metaphors associated with cyber peace.
6.1 Unpacking the “Cyber” Element
“Cyber” is a shortening of “cybernetics,” a term introduced by Norbert Wiener, who used it to refer to the control of information machines and human groups. He emphasized: “Cybernetics takes the view that the structure of the machine or of the organism is an index of the performance” (Wiener, Reference Wiener1988, p. 57; italics in original) because the structures – that is, the properties of the machine or organism – determine what the machine or organism is able and unable to do, and what it is permitted to do, must do, and must not do. Cybernetics concerns control and order; its purpose is to be a bulwark against disorder and entropy. The shortened form quickly came to connote that which involves computers and information technology. “Cyberspace,” famously introduced in Neuromancer by William Gibson (Reference Gibson1994), rapidly became the narrative means of reimagining a communications technology (the Internet) as a place (albeit a heterotopia [Foucault, Reference Foucault1986; Piñuelas, Reference Piñuelas2008]) in which or on which people (reimagined as users) do things and to which they go. As discussed in the section on cyberspace as a condition, we then imagine cyberspace to be a state of (non-) nature apart from the real-life physical world we live in, and we think of it as dangerous because it is ungoverned or incompletely governed. Some instances of cybercrime give credence to that, though such crimes may well be subject to law enforcement by real-life police or others. The irony is that although the cyber refers to the realization of control, cyberspace is thought of as a place of lack of control, as David Lyon (Reference Lyon2015) has recognized.
More recent morphing of the usage of “cyber” turns it into a noun associated with military activity using information technology-intensive tools. This particular nominalization immediately calls to mind warnings from securitization theory (Balzacq, Reference Balzacq2005; inter alia, Buzan, Reference Buzan1993; Hansen, Reference Hansen2000; Waever, Reference Waever1996). The theory focuses on how language constrains our thinking and specifically on how language recasts situations, people, processes, relations, etc. as security threats, and leads to a creeping expansion of control by institutions that command the use of force. This should be understood as a danger rather than a deterministic outcome,Footnote 7 and I am not arguing that we should excise “cyber” from the dictionary. But I am mindful of the securitizing language that drags the concept of cyber peace back toward a sort of negative peace. As Roxanna Sjöstedt (Reference Sjöstedt2017) puts it, “If you construct a threat image, you more or less have to handle this threat.”
In short, “cyber” is complicated. The word connotes the constitution of a space outside our ordinary existence in geographical space. Cyber implies order in the form of efficient control through code and other engineered rules that ought to work well. Yet cyber also hints at disorder and even chaos, since rules are often circumvented. Additionally, the military’s appropriation of cyber as a shortening of “cyber conflict” or “cyber war” risks turning cyber peace into an oxymoron, taking on the sense of martial peace. That linguistic change may condition thinking and securitize the very thing that ought to be desecuritized.
6.2 Unpacking the “Peace” Element
If anything, peace is even more complicated than cyber. Peace is the main focus of the entire field of peace studies, and it is also an important topic for scholars of conflict management and conflict resolution, as well as of international relations more broadly. Peace always sounds good – better than war, at any rate.Footnote 8 But the war-peace dichotomy may hide the definitional complexity. Johann Galtung differentiates between “negative peace,” understood as the absence of violence in a relationship and “positive peace,” a more complex term that is often used to refer to relations that are just, sustainable, and conducive human flourishing in multiple ways (see also Shackelford, Reference Shackelford2016). In its most expansive connotation, the relationship of positive peace is tied to peacebuilding and, ultimately, to amity. The main thrust of this volume envisions cyber peace as positive cyber peace. But the caveats articulated by Paul Diehl (Reference Diehl2016, Reference Diehl2019) about positive peace and its usefulness as a social type of thing are worth considering. He notes, first of all, the lack of consensus among positive peace researchers about what is actually included in it:
Conceptions include, among others, human rights, justice, judicial independence, and communication components. Best developed are notions of “quality peace,” which incorporate the absence of violence, but also require things such as gender equality in order for societies to qualify as peaceful (2019).
The lack of clarity over what positive peace is has, Diehl suggests, epistemological consequences.
Many of [the things that are required for societies to qualify as peaceful], however, lack associated data and operational indicators. Research on positive peace is also comparatively underdeveloped.Footnote 9
While Diehl finds the concept of positive peace desirable, he warns that the concept is underdeveloped in three important ways, and each of these resonates with considerations about cyber peace.
First, what are the dimensions of peace and why is so little known about how the many dimensions interact? His concern should provoke cyber peace theorists to consider whether the four pillars are dimensions in Diehl’s terms and, if so, whether they comprise all the dimensions. Given the potential for multiple dimensions of peace, perhaps only some are required for the situation to be deemed peaceful. Alternatively, perhaps cyber peace is actually an ideal type, and the different dimensions make a situation more or less cyber peaceful.
Second, Diehl also raises the concern about an undertheorized assessment of how positive peace varies across all forms of social aggregation (“levels of analysis” in international relations scholarship). How does positive peace manifest differently in different contexts? For cyber peace, this critique points to the not fully developed idea of how the scale works in cyberspace and how that matters. A neighborhood listserv is different from Twitter, but shares some characteristics relevant to peace – flame wars and incivility are a problem in both environments. But the risks of manipulation of communication by foreign adversaries on Twitter and the kinds of policies that would be required to make peace on Twitter means, I suggest, that the environment of cyberspace is similarly complicated with regard to scale.
Third, Diehl (Reference Diehl2019) notes that “some positive peace concepts muddle the distinction between the definitional aspects of peace and the causal conditions needed to produce peaceful outcomes.” I think that the four cyber peace pillars may fall prey to this lack of conceptual clarity and, perhaps, to a sort of tautology.
7 Boundaries
The next topic is boundaries and the distinctions that create them. An argument can be made that we are witnessing the creation of cyber peace as a new social entity, a thing. Andrew Abbott (Reference Abbott1995) suggests new things emerge through a process of yoking together a series of distinctions. This is an iterative process of asking what are the characteristics of the new thing and what are not? “Boundaries come first, then entities” (p. 860). Cyber peace has yet to cohere into the sort of enduring, reproducing institution that would count as one of the Abbott’s new social entities, but we do see the setting of “proto-boundaries” that may become stable when we examine the processes of trying to name and implement cyber peace. In this section, I discuss three “points of difference” that are important for the concretization of cyber peace: Between (1) cyber peace and cyber aggression, (2) cyber peace/aggression and cyber lawfulness/crime, and (3) associating multistakeholder cyber governance with cyber peace and (implicitly) associating other forms of cyber governance with non-cyber peace.
A basic distinction is between the common sense understanding of what constitutes cyber peace versus cyber aggression. The case of the 2007 cyberattack against Estonia is a clear example of cyber aggression. A more complicated case is Stuxnet, the malicious computer worm discovered in 2010, which was deployed against computer equipment used in the Iranian nuclear program. One interpretation of the Stuxnet operation would name it cyber aggression. A different interpretation would find the use of this cyber weapon de-escalatory when considered in its broader geopolitical context. Stuxnet decreased the rapid ramping up of Iran’s ability to develop nuclear arms, which made an attack with full military force unnecessary. On the one hand, information technology was used for a hostile purpose. On the other, the targeted cyber attack removed a significant threat with apparently no loss of life (though the spread of the worm through networks resulted in monetary losses). Perhaps in this case it makes sense to think of the possibility that Stuxnet was actually consistent with cyber peace. (See also Brandon Valeriano and Benjamin Jensen’s assessment of the potential de-escalatory function of cyber operations in Chapter 4 of this volume.)
But is it possible to thread that needle – to use low-intensity, carefully targeted cyber operations (limiting their harmful consequences) to avoid more hostile interventions – as a matter of strategy? And if so, do such actions promote cyber peace? The 2018 United States Department of Defense cyber strategy tries to do this with its “defend forward” approach to cyber security, and by “continuously engaging” adversaries (United States Cyber Command, 2018, pp. 4, 6). The implicit analogy to nuclear deterrence likely conditions decision makers’ expectations, in my view. As Jason Healey explains, proponents of the strategy seek stability through aggressiveness. They assert that “over time adversaries will scale back the aggression and intensity of their operations in the face of US strength, robustly and persistently applied” (2019, p. 2). But Healey is cautious – noting the risk of negative outcomes – as persistent engagement could produce an escalatory cycle. In short, further characterizing the nature of cyber peace requires achieving greater clarity in differentiating between the kinds of cyber aggression that promote more peaceful outcomes rather than less.
The second point of distinction creates a boundary between problems that involve criminal violations versus those that rise to the level of aggressive breaches of cyber peace. Unlike cyber aggression, cybercrime, I suggest, is not the opposite of cyber peace. The scams, frauds, thefts, revenge porn postings, and pirated software that are everyday cybercrimes seem to me to be very bad sorts of things, but as policy problems they generally fall into the category of not lawful, rather than not peaceful. A society can be peaceful or cyber peaceful even in the presence of some crime; all societies have at least some crime. Countering cybercrime requires cyber law enforcement and international collaboration to deal with transnational crimes. Countering cyber aggression requires efforts toward (re)building cyber peace. These might include diplomacy, deterrence, or – the less peaceful alternative – aggression in return. Automatically folding cybercrime into the category of things that threaten cyber peace risks diluting the meaningfulness of cyber peace.
A caveat must be added, however. The boundary between cybercrime and cyber aggression is complicated by what Marietje Schaake describes as “the ease with which malign actors with geopolitical or criminal goals can take advantage of vulnerabilities across the digital world” (2020, emphasis added). The “or” should be understood as inclusive: “and/or.” Cybercrimes can be used to attain geopolitical goals (acts of cyber aggression), criminal goals, or both. The 2017 “WannaCry” ransomware attack, attributed to North Korea, provides an example of both cyber aggression and cybercrime. Initially, WannaCry was assumed to be the work of an ordinary criminal, but once North Korea’s involvement became apparent, the evident geopolitical aim and the attack’s aggressiveness became more important. We would sort WannaCry and similar aggressive actions in the category of “threats” to cyber peace rather than into the category of (only) “not lawful.”
Yet cybercrimes can, paradoxically, be tools for cyber peace too. Cybercrimes involving activities in support of human rights provide oppressed individuals and groups opportunities to fight back against their oppressors. Circumventing repressive surveillance technology might be an example of this. In that case, breaking the law could, arguably, be an example of cyber peace rather than a difference from it.
Third, the cyber peace pillar on multistakeholder collaboration assumes a distinction between cyber peace and non-cyber peace in terms of forms of governance. The definition of cyber peace includes a strong preference for developing “governance mechanisms by fostering multistakeholder collaboration” (Shackelford, Reference Shackelford2016). Shackelford sees bottom-up multistakeholder governance as a form of polycentricity and as good in itself. But both polycentricity and multistakeholderism are problematic points of distinction for what is or is not cyber peaceful. Michael McGinnis and Elinor Ostrom (Reference McGinnis and Ostrom2012, p. 17), commenting on a classic article by Vincent Ostrom, Charles Tiebout, and Robert Warren (Reference Ostrom, Tiebout and Warren1961), call attention to how the authors:
[…] did not presume that all polycentric systems were automatically efficient or fair, and they never denied the fundamentally political nature of polycentric governance. The key point was that, within such a system, there would be many opportunities for citizens and officials to negotiate solutions suited to the distinct problems faced by each community.
A multistakeholder form of polycentric governance, however, involves not just citizens and officials negotiating solutions, but firms and other private actors as well, which potentially skews that political nature because the resources the different stakeholders have to draw upon in their negotiations can differ by orders of magnitude. As Michael McGinnis, Elizabeth Baldwin, and Andreas Thiel (Reference McGinnis, Baldwin and Thiel2020) explain, polycentric governance can come to suffer from dysfunction because of structural forms that allow some groups to have outsized control over decision-making processes. And this is certainly true for a cyberspace governance organization like the Internet Corporation for Assigned Names and Numbers (ICANN), where the industry interests have significantly more say in outcomes than users. Furthermore, whereas polycentric governance evolves organically out of efforts to solve problems of different but related sorts, multistakeholderism is designed into the governance plan from its initiation, as was clearly the case with ICANN.
Moreover, as Kavi Joseph Abraham (Reference Abraham2017) explains, stakeholderism is actually not about creating better forms of democratic governance. Rather, its origin story can be traced to “systems thinking” in engineering and related management practices that emphasized the need for control of complexity. Complex systems, as engineers came to understand, involved multiple inputs, feedback loops, contingencies, outputs, etc. Controlling such systems required coordination of all those factors. That idea of coordinating all inputs into processes spilled over into the academic field of business management, where the firm came to be seen as a complex system. Control involved the coordination of material inputs plus the coordinated activity and decision-making of people – workers, managers, customers, shareholders, suppliers, communities affected by effluents from the firm’s factory, etc. Groups that had a role to play were thus identified as “stakeholders,” but unlike the assumed equality of citizens in a democracy, there was never any assumption that stakeholders should be equal or equivalent. Managing is about dealing with complexity, not about governing while protecting rights. We should not assume that multistakeholderism is uniquely suited to be the governance form for cyber peace.
8 Metaphors
Finally, I raise the issue of metaphors and how they enable and limit thinking in some way (Cienki & Yanow, Reference Cienki and Yanow2013; Lakoff & Johnson, Reference Lakoff and Johnson1980). First, is cyber peace the right metaphor that describes the sought-after goal? How would cyber peace be different from cyber order, cyber community, or cyber health? Given that much of the activity that goes on in cyberspace is commercial and given that commercial transactions are generally competitive rather than peaceful, does it make sense to talk about cyber peace when the goal is not friendly relations but, rather, a competitive market in which exchange can happen without the disruption of crime? How is cyber peace distinct from a well-functioning cyber market? Yet another alternative would be to rethink the marketization of cyberspace and to imagine instead a regulated utility and the provision of cyber services to the global public.
Moreover, by invoking peace in the context of what is often intended to be best practices of cyber security to maintain a stable Internet we fall prey to “inadvertent complicity” (Alker, Reference Alker1999, p. 3), distracting attention from real violence. Overusing the peace metaphor flattens the differences between deeply consequential and ethically crucial peacemaking in the world, and getting people to use better passwords. We can see this flattening dynamic even when considering initiatives promising to save lives (anti-cyberbullying initiatives as a cyber peace practice, for example). I think cyberbullying is truly awful, and in the United States, it is a crime. It is often also a mental health challenge, both for the bully and bullied. It’s a social pathology and a behavioral problem. It is also a cyber governance issue, as E. Nicole Thornton and I discussed in an article on the difficulties faced by owners of social media websites trying to prevent hijacking of their sites by bullies (Marlin-Bennett & Thornton, Reference Marlin-Bennett and Thornton2012). But is it useful to think of cyberbullying as a violation of cyber peace? (And doesn’t doing so give the bully too much power?) Cyber peace becomes hyperbole, notwithstanding the well-meaning campaigns such as that of the Cyber Peace Foundation (CyberPeace Corps, 2018). Peace is a strong word. By invoking peace (and war by implication), context and historicity can be washed away, obscuring the difference between cyberbullying and Russian cyber election disruptions that threaten to do grave harm to democracies.
9 A Final Thought
In the oft-cited special issue of International Organization on international regimes, the final article was written by Susan Strange (Reference Strange1982). The title was “Cave! hic dragones: a critique of regime analysis.” A note in smaller type at the bottom of the page reads “The title translates as ‘Beware! here be dragons!’ -an inscription often found on pre-Columbian maps of the world beyond Europe.” The article, she explains in the first paragraph, does not ask “what makes regimes and how they affect behavior, it seeks to raise more fundamental questions about the questions.” Her intent, instead, was to ask whether the regime concept is at all a useful advance for international political economy and world politics scholarship. She famously decided that the concept of the international regime was a bad idea for seven reasons (five main and two indirect). She was wrong. The concept of the international regime has endured and is widely accepted, and it has been useful. But I do not think that the concept of an international regime would have been nearly as well integrated into our scholarly lexicon now if it had not been for Strange’s intervention. Over the subsequent years, proponents of the regime concept had to work to improve the concept to counter her claims, which were really quite fair, if expressed bluntly.
I do not have as negative an opinion of cyber peace as Strange did of international regimes, but her charge that the concept of international regimes was “imprecise and woolly” seems to fit the concept of cyber peace, as well. By analyzing the different meanings ascribed to cyber peace, I hope to do what Strange, intentionally or not, did for regimes theory: Make it better.